Attack

CISA warns of GeoServer critical flaw under active attack

Take action: If you are running GeoServer, apply the patch or, better yet, upgrade to a fixed version. If that is not an option, consider the mitigation of removing gt-complex-x.y.jar, but be aware that this may break some functionality; test carefully. This is especially important if the GeoServer instance is exposed to the internet.


Learn More

The Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent alert concerning a critical Remote Code Execution (RCE) vulnerability in GeoServer under active exploitation.

GeoServer is an open-source server written in Java that facilitates the sharing, editing, and publishing of geospatial data.

The vulnerability, tracked as CVE-2024-36401 (CVSS score 9.8), stems from a failure in the GeoTools library API used by GeoServer to evaluate property and attribute names for feature types. This evaluation unsafely passes these names to the commons-jxpath library, which can execute arbitrary code when parsing XPath expressions.

Exploitation can be achieved through multiple OGC request parameters, including:

  • WFS GetFeature
  • WFS GetPropertyValue
  • WMS GetMap
  • WMS GetFeatureInfo
  • WMS GetLegendGraphic
  • WPS Execute requests

Successful exploitation allows attackers to execute arbitrary code on affected systems, potentially leading to severe consequences such as data breaches and system compromise.

Affected Versions

  • GeoServer:
    • Versions prior to 2.23.6
    • Versions 2.24.0 to 2.24.3
    • Versions 2.25.0 to 2.25.1
  • GeoTools:
    • Versions prior to 29.6
    • Versions 30.0 to 30.3
    • Versions 31.0 to 31.1

Users are strongly advised to upgrade to the latest versions of GeoServer and GeoTools, which contain patches addressing this vulnerability. The patched versions include:

  • GeoServer:
    • 2.23.6
    • 2.24.4
    • 2.25.2
  • GeoTools:
    • 29.6
    • 30.4
    • 31.2
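A small triage helper that encodes the affected and fixed ranges listed above, so an inventory of GeoServer and GeoTools versions can be checked in one pass. This is an added example and not code from the advisory or the GeoServer project; the version table is transcribed from the text above, and the sample inventory is constructed.

```python
"""Classify GeoServer / GeoTools versions against the CVE-2024-36401
ranges in the advisory (added example; version table from the advisory)."""
import re

# First patched release per maintained branch, as listed above.
# Anything older than the first entry falls under "versions prior to".
FIXED = {
    # GeoServer branches are identified by the first two components (2.24)
    "geoserver": {"branch_len": 2, "fixed": [(2, 23, 6), (2, 24, 4), (2, 25, 2)]},
    # GeoTools branches are identified by the major version alone (30)
    "geotools": {"branch_len": 1, "fixed": [(29, 6), (30, 4), (31, 2)]},
}

def parse_version(text):
    """Turn '2.24.3' (or '2.24.3-SNAPSHOT') into a comparable int tuple."""
    m = re.match(r"^(\d+(?:\.\d+)*)", text.strip())
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))

def is_affected(product, version):
    """True when the version is inside one of the advisory's affected ranges."""
    info = FIXED[product.lower()]
    v = parse_version(version)
    n = info["branch_len"]
    # Pad short versions such as '2.25' so comparisons stay positional.
    v = v + (0,) * max(0, len(info["fixed"][0]) - len(v))
    if v < info["fixed"][0]:
        return True              # "versions prior to" the oldest fix
    for fix in info["fixed"]:
        if v[:n] == fix[:n]:
            return v < fix       # same branch: affected until its fix
    return False                 # branch not listed as affected

def triage(inventory):
    """inventory: iterable of (hostname, product, version) tuples."""
    return [(h, p, ver, is_affected(p, ver)) for h, p, ver in inventory]

if __name__ == "__main__":
    # Constructed sample inventory (hostnames are placeholders)
    sample = [("gis-01", "geoserver", "2.24.3"),
              ("gis-02", "geoserver", "2.25.2"),
              ("lib-ci", "geotools", "30.1")]
    for host, prod, ver, bad in triage(sample):
        print(f"{host:8} {prod:10} {ver:8} {'AFFECTED' if bad else 'ok'}")
```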

For those unable to upgrade immediately, security patches are available for affected versions. These patches can be downloaded from the official GeoServer and GeoTools repositories and include updates to the gt-app-schema, gt-complex, and gt-xsd-core jar files.

As a temporary measure, users can remove the gt-complex-x.y.jar file from their GeoServer installation. This action will eliminate the vulnerable code but may disrupt some GeoServer functionalities, especially if extensions in use require the module.

For GeoServer WAR Deployments:

  1. Stop the application server.
  2. Unzip geoserver.war into a directory.
  3. Remove the WEB-INF/lib/gt-complex-x.y.jar file.
  4. Rezip the directory into a new geoserver.war.
  5. Restart the application server.

For GeoServer Binary Deployments:

  1. Stop Jetty.
  2. Remove the webapps/geoserver/WEB-INF/lib/gt-complex-x.y.jar file.
  3. Restart Jetty.